Skip to main content
All CollectionsTroubleshooting Server and ApplicationSSL-related Issues
How to Fix Incomplete Certificate Chain Warning?
How to Fix Incomplete Certificate Chain Warning?

This KB explains why the warnings like “Incomplete SSL Certificate Chain” or “Broken SSL Chain” occur and how you can quickly fix it.

Usama Zafar avatar
Written by Usama Zafar
Updated over 3 months ago

Table of Contents

This knowledge base article tends to explain why warnings like “Incomplete SSL Certificate Chain” or “Broken SSL Chain” occur and how you can quickly fix them.

SSL concepts sound very straightforward in that you deploy an SSL certificate to protect your website and visitors and encrypt their communication to avoid malicious actors’ intervention. Most people do not bother diving deep into SSL concepts as they prefer professionals to handle it for them when it comes to SSL certificate configuration and troubleshooting. Hence, if you are going to fix it yourself, then it is good if you understand a few SSL-related terms alongside fixing it effectively. So, let’s understand what the SSL Chain of Trust is as the chain issue arises when the SSL chain of trust is affected.

What is the SSL Chain of Trust?

Let’s first understand what Certificate Authority (CA) is. A Certificate Authority (CA), or Certification Authority (CA), is an organization that issues and manages digital security certificates, e.g., SSL/TLS certificates. These Certificate Authorities (CA) are the trusted third-party entities (such as DigiCert, Comodo, etc.). Their digital certificates are, in general, the data files to validate the identities of entities such as companies, websites, etc., securely tied with the cryptographic keys, which are used for secure communication on an unsecured network, e.g., the internet. So, when you are discussing these terms, such as Certificate Authorities (CA), root and intermediate certificates, and how SSL certificates are chained, you are referring to a concept called “SSL Chain of Trust”.

Usually, when you get/buy an SSL certificate from CAs, they provide you with your dedicated application certificate for your website and the intermediate certificate. Web browsers maintain the list of trusted root CA certificates, which are preinstalled and occasionally update automatically. So, when a web browser loads your SSL certificate, it starts chaining your application certificate to the intermediate certificate first. Then, it continues chaining until it reaches the trusted CA’s root certificate. So, this whole mechanism forms the SSL Chain of Trust— an ordered list of certificates that permit the end-user client, such as a web browser acting as receiver, to certify that the website’s server acting as the sender and the CA is trustworthy.


Now, let’s understand why the “Incomplete SSL Certificate Chain” or “Broken SSL Chain” occurs.

Why Does an Incomplete Certificate Chain Warning Occur?

Following are the reasons why warnings like “Incomplete SSL Certificate Chain” and “Broken SSL Chain” occurs:

  • When you deploy a Custom SSL Certificate using the Cloudways Platform, then you are required to add your website’s SSL certificate along with the intermediate certificate (in some cases, the Private Key is needed as well). So, if you miss installing the intermediate certificate or upload the wrong one, it can not be chained back, and the browsers will not trust the certificate. They may generate a broken chain or similar sorts of warnings.

  • Or, if your intermediate certificate becomes invalid due to revocation or expiration, you may also get to see such warnings.

How to Identify the Incomplete Certificate Chain Warning

We highly recommend verifying your SSL certificate to see if your website has a broken chain issue. It is unnecessary if you do not see such a warning in your browser, then your website visitors do not see it too, so identifying this issue is the first step so you don’t leave your visitors and website vulnerable.

Let’s see how different third-party SSL checking tools hint when the SSL certificate chain is broken.

Qualys SSL Labs

That’s how Qualys SSL Labs warns when the SSL certificate chain is broken.

SSL Shopper

That’s how SSL Shopper warns when the SSL certificate chain is broken.

Why No Padlock

That’s how Why No Padlock warns when the SSL certificate chain is broken.

Comodo SSL Store

That’s how Comodo SSL Store warns when the SSL certificate chain is broken.


How to Fix the Incomplete Certificate Chain Warning

To fix this issue, you must modify/add an active intermediate certificate. If you are a Cloudways client, it is just a matter of copying and pasting instead of running several commands on your server.

Step #1

First, you need to identify if you possess your intermediate certificate or not. When you buy an SSL certificate from any SSL vendor, they provide you with your dedicated server/application certificate in .crt or .cer file format (e.g., mydomain.crt/mydomain.cer) along with the intermediate certificate in .ca or .ca-bundle file format (e.g., mydomain.ca/mydomain.ca-bundle).

So, if you have your application certificate (.crt/.cer file) along with the intermediate certificate (.ca/.ca-bundle file) present, then you can proceed to Step# 2. Else, if you do not have an intermediate certificate, then you need to generate one, so click “Generate Intermediate Certificate” below to see the steps.

Generate Intermediate Certificate

To generate an intermediate certificate, you can use any third-party tool such as What’s My Chain Cert. Once you visit this website, you need to paste your application’s SSL certificate (.crt/.cer file) content first and click Generate Chain, as shown in the screenshot below.

Tip

To view and copy your certificate file content (.crt/.cer file), you can use any text editor, such as Notepad for Windows, TextEdit for Mac. Please note that you need to copy and paste the whole certificate, including —–BEGIN CERTIFICATE —– & —– END CERTIFICATE —– lines.

A downloadable file by your domain name will be available after clicking on the Generate Chain. The downloaded file will be your intermediate certificate.

Step #2

Now, log in to the Cloudways Platform. Once logged in, navigate to the Servers tab from the top menu bar and choose the target server on which your desired application/website is deployed.

Classic Interface

New Interface

Next, click www, located at the right-hand side of the server box. Select your target application from the drop-down list.

Classic Interface

New Interface

In the Application Management menu, select an SSL Certificate.

Classic Interface

New Interface

Step #3

Here, you will either see the Re-Install SSL option, or you will see an Install Certificate option.

So, to keep things simple, please select which option you see on your screen from the choices below, as the process varies for both.

Classic Interface

I See the “Install Certificate” Option

Step (Ⅰ)

Click Install Certificate to install the SSL certificate and its intermediate certificate.

Classic Interface

Step (Ⅱ)

A dialogue box will appear, prompting the Certificate Code and CA Chain.

  • Certificate Code refers to your application SSL certificate file content. Most SSL vendors provide this in .crt or .cer file format (e.g., mydomain.crt/mydomain.cer).

  • CA Chain refers to the certificate chain (intermediate certificate). It is usually provided in .ca or .ca-bundle file format (e.g., mydomain.ca/mydomain.ca-bundle).

Please note that these file formats and standards can vary, considering there are many SSL certificate providers with many different formats and standards. Still, if you need help, you can contact us via Live Chat or create a support ticket.

Finally, paste all the necessary details and hit Submit to deploy the certificate with the correct chain.

Tip

To view and copy your certificate file content (.crt/.cer file), you can use any text editor, such as Notepad for Windows or TextEdit for Mac. Please note that you need to copy and paste the whole certificate, including —–BEGIN CERTIFICATE —– & —– END CERTIFICATE —– lines.

Classic Interface

That’s it! Your SSL certificate with the intermediate chain should be deployed in a few minutes. You may also see a dialogue box prompting you to force HTTPS redirection if you have not forced it through the Cloudways Platform previously.

Important

If you use any Web Application Firewall (WAF) services such as Cloudflare, Sucuri, etc. or if you have implemented HTTPS redirection already using any application plugin or by modifying the .htaccess file of your application, then you do not need to force HTTPS redirection again from the Cloudways Platform to avoid your website running into redirection loops. But, if you want to force HTTPS redirection from the Cloudways Platform, you need to disable any redirection mechanism working elsewhere first.

So, choose to Enable HTTPS or simply skip it by clicking Not Now. Please note that you can also force HTTPS redirection later as well.

Classic Interface

Let’s move to the final step of verifying the SSL certificate to ensure the issue is resolved.

I See the “Re-Install SSL” Option

Step (Ⅰ)

Click Re-Install Certificate to install the SSL certificate and its intermediate certificate.

Classic Interface

Step (Ⅱ)

Now, you will be prompted to enter the CRT and Key content.

  • Here, CRT content refers to your application SSL certificate file content. Most SSL vendors usually provide this in .crt or .cer file format (e.g., mydomain.crt/mydomain.cer).

  • You also need to concatenate your CA Chain, which refers to the certificate chain (intermediate certificate). It is usually provided in .ca or .ca-bundle file format (e.g., mydomain.ca/mydomain.ca-bundle). For Concatenation, you can use any text editor, such as Notepad for Windows or TextEdit for Mac.

  • All SSL certificates require a private key to work. The private key is a separate file with an extension .KEY that’s used in the encryption/decryption of data sent between your server and the connecting users. A private key is created by the certificate owner—when you request your certificate with a Certificate Signing Request (CSR).

Please note that these file formats and standards can vary, considering there are many SSL certificate providers with many different formats and standards. Still, if you need any help, you can always contact us via Live Chat or create a support ticket.

Finally, paste all the necessary details and click SUBMIT to deploy the certificate with the correct chain.

Tip

To view and copy your certificate file content (.crt/.cer file), you can use any text editor, such as Notepad for Windows or TextEdit for Mac. Please note that you need to copy and paste the whole certificate, including —–BEGIN CERTIFICATE —– & —– END CERTIFICATE —– lines.

Classic Interface

That’s it! Your SSL certificate with the intermediate chain should be deployed in a few minutes. You may also see a dialogue box prompting you to force HTTPS redirection if you have not forced it through the platform previously.

Important

If you use any Web Application Firewall (WAF) services such as Cloudflare, Sucuri, etc. or if you have implemented HTTPS redirection already using any application plugin or by modifying the .htaccess file of your application, then you do not need to force HTTPS redirection again from the Cloudways Platform to avoid your website running into redirection loops. But, if you want to force HTTPS redirection from the Cloudways Platform, you need to disable any redirection mechanism working elsewhere first.

So, choose to Enable HTTPS or simply skip it by clicking Not Now. Please note that you can also force HTTPS redirection later as well.

Classic Interface

Let’s move to the final step of verifying the SSL certificate to ensure the issue is resolved.

How to Verify Your SSL Certificate

This is the final step to verifying your SSL certificate, and we have created a self-explanatory guide for it. Verification is done so you can ensure that changes are successfully made, and the issue is resolved.

That’s it! We hope this article was helpful. If you need any help, then feel free to search your query on Cloudways Support Center or contact us via chat (Need a Hand > Send us a Message). Alternatively, you can also create a support ticket.


Try managed Google Cloud hosting at Cloudways Platform to experience the top-notch performance, simplicity, and flexibility with Cloudways. In addition, Cloudways removes all your server administration and maintenance hassles, so you remain focused on your business.

Quick Tip

No more annoying hosting and limitation errors. With our WordPress hosting experience super-fast speeds, and high uptime, ensuring your website remains fast and responsive. Try Today.

Did this answer your question?